[libvirt] nwfilter - limit VM traffic to specific mac address

Hi,

I want to limit VM traffic to a specific MAC address, i.e. VMs cannot traffic each other other than a specific gateway.

I am using a custom nwfilter named isolatedprivatevlan-vdsm.xml located in /etc/libvirt/nwfilter/:

<filter name='isolatedprivatevlan-vdsm' chain='root'>
  <filterref filter='clean-traffic'/>
  <rule action='drop' direction='out' priority='500'>
    <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
  </rule>
</filter>

VM1 domain xml portion:

<interface type="bridge">
  <mac address="00:1a:4a:16:01:53"/>
  <model type="virtio"/>
  <source bridge="red"/>
  <filterref filter="isolatedprivatevlan-vdsm">
    <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
  </filterref>
</interface>

VM2 domain xml portion:

<interface type="bridge">
  <mac address="00:1a:4a:16:01:52"/>
  <model type="virtio"/>
  <source bridge="red"/>
  <filterref filter="isolatedprivatevlan-vdsm">
    <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
  </filterref>
</interface>

In each VM (Fedora 15 LiveCD) I assign an IP:

vm1:
# ifconfig eth0 10.35.1.240 netmask 255.255.254.0
# route add default gw 10.35.1.1

vm2:
# ifconfig eth0 10.35.1.241 netmask 255.255.254.0
# route add default gw 10.35.1.1

But the filter is not working, I can ping the VMs from each other.
Am I missing something?

Thanks,
Shahar Havivi.

On 11/07/2011 04:25 AM, Shahar Havivi wrote:
> Hi,
>
> I want to limit VM traffic to a specific MAC address, i.e. VMs cannot
> traffic each other other than a specific gateway.
>
> I am using a custom nwfilter named isolatedprivatevlan-vdsm.xml
> located in /etc/libvirt/nwfilter/:
>
> <filter name='isolatedprivatevlan-vdsm' chain='root'>
>   <filterref filter='clean-traffic'/>
>   <rule action='drop' direction='out' priority='500'>
>     <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
>   </rule>
> </filter>

Try this one -- it works in 'my' subnet:

<filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
  <filterref filter='clean-traffic'/>
  <rule action='drop' direction='out' priority='10'>
    <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
  </rule>
</filter>

> VM1 domain xml portion:
>
> <interface type="bridge">
>   <mac address="00:1a:4a:16:01:53"/>
>   <model type="virtio"/>
>   <source bridge="red"/>
>   <filterref filter="isolatedprivatevlan-vdsm">
>     <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
>   </filterref>
> </interface>
>
> VM2 domain xml portion:
>
> <interface type="bridge">
>   <mac address="00:1a:4a:16:01:52"/>
>   <model type="virtio"/>
>   <source bridge="red"/>
>   <filterref filter="isolatedprivatevlan-vdsm">
>     <parameter name="GATEWAY_MAC" value="00:00:0c:07:ac:00"/>
>   </filterref>
> </interface>
>
> In each VM (Fedora 15 LiveCD) I assign an IP:
>
> vm1:
> # ifconfig eth0 10.35.1.240 netmask 255.255.254.0
> # route add default gw 10.35.1.1
>
> vm2:
> # ifconfig eth0 10.35.1.241 netmask 255.255.254.0
> # route add default gw 10.35.1.1
>
> But the filter is not working, I can ping the VMs from each other.
> Am I missing something?

Try the above filter that puts the check into a different 'chain' and into a different order. I'll be introducing a 'mac' chain where this can then be put rather than into the 'ipv4' chain. The challenging part about the filtering rules is their order, and the XML can unfortunately not abstract this 'away'.

   Stefan

> Thanks,
> Shahar Havivi.

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

On 08.11.11 16:34, Stefan Berger wrote:
> On 11/07/2011 04:25 AM, Shahar Havivi wrote:
>> I am using a custom nwfilter named isolatedprivatevlan-vdsm.xml
>> located in /etc/libvirt/nwfilter/:
>>
>> <filter name='isolatedprivatevlan-vdsm' chain='root'>
>>   <filterref filter='clean-traffic'/>
>>   <rule action='drop' direction='out' priority='500'>
>>     <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
>>   </rule>
>> </filter>
>
> Try this one -- it works in 'my' subnet:
>
> <filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
>   <filterref filter='clean-traffic'/>
>   <rule action='drop' direction='out' priority='10'>
>     <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
>   </rule>
> </filter>

Thanks,
Now it is blocking the traffic but I can't get traffic to the gateway as well...

> Try the above filter that puts the check into a different 'chain' and
> into a different order. I'll be introducing a 'mac' chain where this
> can then be put rather than into the 'ipv4' chain. The challenging part
> about the filtering rules is their order, and the XML can unfortunately
> not abstract this 'away'.
>
>    Stefan

On 11/09/2011 04:01 AM, Shahar Havivi wrote:
> On 08.11.11 16:34, Stefan Berger wrote:
>> Try this one -- it works in 'my' subnet:
>>
>> <filter name='isolatedprivatevlan-vdsm' chain='ipv4'>
>>   <filterref filter='clean-traffic'/>
>>   <rule action='drop' direction='out' priority='10'>
>>     <mac match='no' dstmacaddr='$GATEWAY_MAC'/>
>>   </rule>
>> </filter>
>
> Thanks,
> Now it is blocking the traffic but I can't get traffic to the gateway as well...

That's odd. Can you ping the gateway from the VM? Is it typically ping-able? Are you sure you specified the correct MAC addresses -- check with 'arp -n' on a host in the same subnet and see what it shows for the gateway (ping it if you don't see an entry).

   Stefan

On 09.11.11 06:44, Stefan Berger wrote:
> On 11/09/2011 04:01 AM, Shahar Havivi wrote:
>> Thanks,
>> Now it is blocking the traffic but I can't get traffic to the gateway as well...
>
> That's odd. Can you ping the gateway from the VM? Is it typically
> ping-able? Are you sure you specified the correct MAC addresses --
> check with 'arp -n' on a host in the same subnet and see what it
> shows for the gateway (ping it if you don't see an entry).
>
>    Stefan

It's working only when I remove the line

  <filterref filter='clean-traffic'/>

from the filter...

On 11/09/2011 07:44 AM, Shahar Havivi wrote:
> On 09.11.11 06:44, Stefan Berger wrote:
>> That's odd. Can you ping the gateway from the VM? Is it typically
>> ping-able? Are you sure you specified the correct MAC addresses --
>> check with 'arp -n' on a host in the same subnet and see what it
>> shows for the gateway (ping it if you don't see an entry).
>>
>>    Stefan
>
> It's working only when I remove the line
>
>   <filterref filter='clean-traffic'/>
>
> from the filter...

While you ping the gateway, can you re-add the above line to the filter?

   Stefan

On 09.11.11 09:20, Stefan Berger wrote:
> On 11/09/2011 07:44 AM, Shahar Havivi wrote:
>> It's working only when I remove the line
>>
>>   <filterref filter='clean-traffic'/>
>>
>> from the filter...
>
> While you ping the gateway, can you re-add the above line to the filter?
>
>    Stefan

It's working, even when stopping the ping and re-pinging the gateway, but it stops working after I stop and start the VM.

On 11/09/2011 09:38 AM, Shahar Havivi wrote:
> On 09.11.11 09:20, Stefan Berger wrote:
>> While you ping the gateway, can you re-add the above line to the filter?
>>
>>    Stefan
>
> It's working, even when stopping the ping and re-pinging the gateway,
> but it stops working after I stop and start the VM.

How does the VM get its IP address, static or DHCP? If DHCP, could you try a static IP address?

In case it doesn't work, what does 'ebtables -t nat -L' show and which IP address is assigned to the VM's interface?

   Stefan

On 09.11.11 10:49, Stefan Berger wrote:
> On 11/09/2011 09:38 AM, Shahar Havivi wrote:
>> It's working, even when stopping the ping and re-pinging the gateway,
>> but it stops working after I stop and start the VM.
>
> How does the VM get its IP address, static or DHCP? If DHCP, could you
> try a static IP address?
>
> In case it doesn't work, what does 'ebtables -t nat -L' show and which
> IP address is assigned to the VM's interface?
>
>    Stefan

Static IP; the ebtables output shows IP 0.0.0.0 for the VM MAC address:

Bridge chain: I-vnet0-rarp, entries: 2, policy: ACCEPT
-p 0x8035 -s 0:1a:4a:16:1:52 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 0:1a:4a:16:1:52 --arp-mac-dst 0:1a:4a:16:1:52 -j ACCEPT
-j DROP

Bridge chain: O-vnet0-rarp, entries: 2, policy: ACCEPT
-p 0x8035 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 0:1a:4a:16:1:52 --arp-mac-dst 0:1a:4a:16:1:52 -j ACCEPT
-j DROP

How can I set the IP in this case?

On 10.11.11 11:30, Shahar Havivi wrote:
> On 09.11.11 10:49, Stefan Berger wrote:
>> How does the VM get its IP address, static or DHCP? If DHCP, could you
>> try a static IP address?
>>
>> In case it doesn't work, what does 'ebtables -t nat -L' show and which
>> IP address is assigned to the VM's interface?
>>
>>    Stefan
>
> Static IP; the ebtables output shows IP 0.0.0.0 for the VM MAC address:
>
> Bridge chain: I-vnet0-rarp, entries: 2, policy: ACCEPT
> -p 0x8035 -s 0:1a:4a:16:1:52 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 0:1a:4a:16:1:52 --arp-mac-dst 0:1a:4a:16:1:52 -j ACCEPT
> -j DROP
>
> Bridge chain: O-vnet0-rarp, entries: 2, policy: ACCEPT
> -p 0x8035 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 0:1a:4a:16:1:52 --arp-mac-dst 0:1a:4a:16:1:52 -j ACCEPT
> -j DROP
>
> How can I set the IP in this case?

Ok, it's working when I set the IP in the filter:

<filterref filter='clean-traffic'>
  <parameter name='IP' value='10.35.16.50'/>
</filterref>

I guess it's the only solution...?

On 11/10/2011 05:21 AM, Shahar Havivi wrote:
> On 10.11.11 11:30, Shahar Havivi wrote:
>> Static IP; the ebtables output shows IP 0.0.0.0 for the VM MAC address:
>>
>> Bridge chain: I-vnet0-rarp, entries: 2, policy: ACCEPT
>> -p 0x8035 -s 0:1a:4a:16:1:52 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 0:1a:4a:16:1:52 --arp-mac-dst 0:1a:4a:16:1:52 -j ACCEPT
>> -j DROP
>>
>> Bridge chain: O-vnet0-rarp, entries: 2, policy: ACCEPT
>> -p 0x8035 -d Broadcast --arp-op Request_Reverse --arp-ip-src 0.0.0.0 --arp-ip-dst 0.0.0.0 --arp-mac-src 0:1a:4a:16:1:52 --arp-mac-dst 0:1a:4a:16:1:52 -j ACCEPT
>> -j DROP
>>
>> How can I set the IP in this case?
>
> Ok, it's working when I set the IP in the filter:
>
> <filterref filter='clean-traffic'>
>   <parameter name='IP' value='10.35.16.50'/>
> </filterref>
>
> I guess it's the only solution...?

The IP address in the parameter XML node has to match the one assigned to the interface inside the VM. If they don't match, nothing works. If you leave out the line '<parameter name=.../>' then this will start libvirt's IP address learning/detection that will lock your VM into the first IP address it detects that the VM is using on a particular interface. This should also work.

   Stefan
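As an added illustration of the two points this thread settles, Stefan's reworked filter (chain 'ipv4', priority 10) and his closing remark that the IP parameter has to match the guest's address, here is a small Python script that generates the nwfilter and domain interface XML and runs a pre-flight check against the guest's intended MAC and IP before the domain is defined. It is not code from the thread or from libvirt; the XML shapes, names and addresses are the ones posted above, and the `check_interface` / `normalize_mac` helpers are this example's own. It assumes (this is not stated on the page) that parameters set on the interface's `filterref` are visible to the filters it references, so `IP` can be set on the interface rather than inside the filter file as Shahar did; the MAC normalisation is there because `ebtables -L` prints octets without zero-padding (`0:1a:4a:16:1:52`) while the domain XML uses `00:1a:4a:16:01:52`.

```python
import re
import xml.etree.ElementTree as ET

# Values taken from the thread: VM2's MAC, the bridge, the gateway MAC and the
# static address the guest configures on eth0. Filter name is the thread's.
FILTER_NAME = "isolatedprivatevlan-vdsm"
VM_MAC = "00:1a:4a:16:01:52"
BRIDGE = "red"
GATEWAY_MAC = "00:00:0c:07:ac:00"
VM_IP = "10.35.1.241"


def build_isolation_filter(name=FILTER_NAME, chain="ipv4", priority=10):
    """nwfilter XML in the form Stefan posted: reference clean-traffic, then
    drop any outbound frame whose destination MAC is not $GATEWAY_MAC.
    'chain' and 'priority' decide where the drop rule lands relative to
    clean-traffic's own rules; that ordering is what made the first
    version (chain 'root', priority 500) ineffective."""
    flt = ET.Element("filter", name=name, chain=chain)
    ET.SubElement(flt, "filterref", filter="clean-traffic")
    rule = ET.SubElement(flt, "rule", action="drop", direction="out",
                         priority=str(priority))
    ET.SubElement(rule, "mac", match="no", dstmacaddr="$GATEWAY_MAC")
    return ET.tostring(flt, encoding="unicode")


def build_interface_xml(mac, bridge, gateway_mac, ip=None, filter_name=FILTER_NAME):
    """Domain <interface> snippet. GATEWAY_MAC feeds the drop rule; IP, when
    given, is the address clean-traffic's anti-spoofing rules pin the guest
    to. Assumption (not from the page): parameters on this filterref are
    visible to the referenced clean-traffic filter, so IP can live here."""
    iface = ET.Element("interface", type="bridge")
    ET.SubElement(iface, "mac", address=mac)
    ET.SubElement(iface, "model", type="virtio")
    ET.SubElement(iface, "source", bridge=bridge)
    ref = ET.SubElement(iface, "filterref", filter=filter_name)
    ET.SubElement(ref, "parameter", name="GATEWAY_MAC", value=gateway_mac)
    if ip is not None:
        ET.SubElement(ref, "parameter", name="IP", value=ip)
    return ET.tostring(iface, encoding="unicode")


def normalize_mac(mac):
    """Zero-pad each octet so the ebtables form '0:1a:4a:16:1:52' compares
    equal to the domain XML form '00:1a:4a:16:01:52'. None if malformed."""
    parts = mac.strip().lower().split(":")
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{1,2}", p) for p in parts):
        return None
    return ":".join(p.zfill(2) for p in parts)


def check_interface(interface_xml, guest_ip, guest_mac):
    """Pre-flight check for the failure modes seen in the thread. Returns a
    list of problems; an empty list means the snippet matches the guest."""
    root = ET.fromstring(interface_xml)
    problems = []
    mac_el = root.find("mac")
    xml_mac = normalize_mac(mac_el.get("address", "")) if mac_el is not None else None
    if xml_mac is None:
        problems.append("interface MAC missing or malformed")
    elif xml_mac != normalize_mac(guest_mac):
        problems.append("interface MAC does not match the guest's MAC")
    params = {p.get("name"): p.get("value") for p in root.iter("parameter")}
    gw = params.get("GATEWAY_MAC")
    if gw is None or normalize_mac(gw) is None:
        problems.append("GATEWAY_MAC parameter missing or malformed")
    ip = params.get("IP")
    # Stefan's rule: a mismatched IP parameter makes clean-traffic drop
    # everything; with no IP parameter libvirt learns the guest's first address.
    if ip is not None and ip != guest_ip:
        problems.append(f"IP parameter {ip} does not match guest address {guest_ip}")
    return problems


if __name__ == "__main__":
    print(build_isolation_filter())
    good = build_interface_xml(VM_MAC, BRIDGE, GATEWAY_MAC, ip=VM_IP)
    bad = build_interface_xml(VM_MAC, BRIDGE, GATEWAY_MAC, ip="10.35.1.240")
    print(check_interface(good, VM_IP, VM_MAC))   # []
    print(check_interface(bad, VM_IP, VM_MAC))    # IP mismatch reported
```

The generated filter XML is what you would hand to `virsh nwfilter-define`, and the interface snippet goes into the domain XML; running `check_interface` first catches the exact mismatch Stefan describes (a wrong `IP` parameter) before the guest silently loses all connectivity.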

On 10.11.11 06:25, Stefan Berger wrote:
> On 11/10/2011 05:21 AM, Shahar Havivi wrote:
>> Ok, it's working when I set the IP in the filter:
>>
>> <filterref filter='clean-traffic'>
>>   <parameter name='IP' value='10.35.16.50'/>
>> </filterref>
>>
>> I guess it's the only solution...?
>
> The IP address in the parameter XML node has to match the one assigned
> to the interface inside the VM. If they don't match, nothing works. If
> you leave out the line '<parameter name=.../>' then this will start
> libvirt's IP address learning/detection that will lock your VM into the
> first IP address it detects that the VM is using on a particular
> interface. This should also work.
>
>    Stefan

Thank you Stefan
participants (2)
- Shahar Havivi
- Stefan Berger